Abstract

The synchronisation of Tree Parity Machines (TPMs) has proven to provide a valuable alternative concept for secure symmetric key exchange. Yet, from a cryptographer's point of view, authentication is at least as important as a secure exchange of keys. Adding an authentication, e.g. via hashing, is straightforward but has no relation to Neural Cryptography. We consequently formulate an authenticated key exchange within this concept. Another alternative, integrating a Zero-Knowledge protocol into the synchronisation, is also presented. A Man-In-The-Middle attack, and indeed all currently known attacks that are based on using identically structured TPMs and synchronisation as well, can thereby be averted. This in turn has practical consequences on using the trajectory in weight space. Both suggestions have the advantage of not affecting the previously observed physics of this interacting system at all.

1 Introduction 

The symmetric key exchange method based on the fast synchronisation of two identically structured Tree Parity Machines (TPMs) was proposed by Kanter and Kinzel [2]. Their exchange protocol is realised implicitly by a mutual adaptation process between two parties A and B, not involving large numbers and methods from number theory.

Making sure that the two parties involved are also allowed to perform this protocol is the cryptographic process of (entity) authentication. In the area of cryptography, authentication is an important step that still precedes key exchange or even the en-/decryption of information with an exchanged secret key [?]. Adding classical authentication, e.g. via hashing, to the Neural Cryptography concept is straightforward but is not embedded into the concept itself. We think it is thus desirable to formulate an authentication concept from within Neural Cryptography, based on the original TPM synchronisation principle and keeping the practical advantage of not operating on large numbers.

We first briefly recapitulate the parallel-weights version, in which weights are identical in both TPMs after synchronisation, using hebbian learning and the so-called bit package variant of the protocol [?]. The anti-parallel-weights version, using anti-hebbian learning and leading to inverted weights at the other party, can be considered for our purpose as well but is omitted for brevity. The notation A/B denotes equivalent operations for the parties A and B. A single A or B denotes an operation which is specific to one of the parties.

The TPM consists of K hidden units ($1 \le k \le K$) in a single hidden layer with non-overlapping inputs and a single unit in the output layer. The particular tree structure has binary inputs, discrete weights and a single binary output as depicted in Figure 1.

Figure 1: (a) The tree parity machine (TPM) generates a single output, the parity of the outputs of the hidden units. (b) For mutual learning, outputs on commonly given inputs are exchanged between the two parties A and B.

Each hidden unit k receives N different inputs $x_{kj}(t)$ ($1 \le j \le N$), leading to an input field of size $K \cdot N$. The vector components $x_{kj}(t) \in \{-1, 1\}$ are random variables with zero mean and unit variance. They can e.g. be coded as bits generated by a Linear Feedback Shift Register (LFSR) as pseudo-random number generator. The output $O^{A/B}(t) \in \{-1, 1\}$, given bounded weights $w_{kj}^{A/B}(t) \in [-L, L] \subset \mathbb{Z}$ (from input unit j to hidden unit k) and common pseudo-random inputs $x_{kj}(t)$, is calculated by a parity function of the signs of summations:

$\sigma$ is a sign-function.
Parties A and B start with an individual randomly generated initial weight vector $w^{A/B}(t_0)$, their secret. After a set of $b \ge 1$ presented inputs, where b denotes the size of the bit package, the corresponding b TPM outputs $O^{A/B}(t)$ are exchanged over the public channel in one package (see Figure 1). The b sequences of hidden states $y_k^{A/B}(t) \in \{-1, 1\}$ are stored for the subsequent learning process. A hebbian learning rule is applied to adapt the weights, using the b outputs and b sequences of hidden states:

$$w_{kj}^{A/B}(t) = w_{kj}^{A/B}(t-1) + O^{A/B}(t)\, x_{kj}(t) \qquad (2)$$

They are changed according to Equation (2) only on an agreement $O^A(t) = O^B(t)$ of the parties' outputs. Furthermore, only weights of those hidden units are changed that agree with this output, i.e. if $O^{A/B}(t) = y_k^{A/B}(t)$. Updated weights are bound to stay in the maximum range $[-L, L] \subset \mathbb{Z}$ by reflection onto the boundary values.

Synchrony is achieved when both parties have learned to produce each other's outputs. They remain synchronised (see Equation 3) and continue to produce the same outputs on every commonly given input. This effect in particular leads to common weight vectors $w^{A/B}(t)$ in both TPMs in each following iteration. These weights have never been communicated between the two parties and can be used as a common time-dependent key for encryption and decryption respectively.

A test for synchrony can of course not practically be defined by checking whether weights in both nets have become identical. One rather tests on successive equal outputs in a sufficiently large number of iterations $t_{min}$, such that equal outputs by chance are excluded:

$$\forall t \in [t', t' + t_{min}]:\; O^A(t) = O^B(t). \qquad (3)$$

The synchronisation time was found to be finite for discrete weights. It is almost independent of N and scales with $\ln N$ for very large N, even in the thermodynamic limit $N \to \infty$. Furthermore, it is proportional to $L^2$. Our investigations confirmed that the synchronisation times are distributed with a peak around 400 for the parameters given in [2]. The number of bits required to achieve synchronisation is lower than the size of the key [2]. Secret key agreement based on interaction over a public insecure channel is also discussed under information-theoretic aspects by Maurer [6], also with regard to unconditional security.

2 Authentication through secret common inputs 

In the original key exchange protocol, the structure of the network, the involved computations producing the output $O^{A/B}(t)$ (Equation 1), the adaptation rule (Equation 2) and especially the common inputs $x_{kj}(t)$ are public. The only secrets involved are the different initial weights $w^{A/B}(t_0)$ of the two parties. If they were not secret, the resulting keys could simply be calculated (by an adversary), because all further computations are completely deterministic.
An elegant solution to include authentication into the neural key exchange protocol comes from the observation that two parties A and B which do not have the same input vectors,

$$x^A(t) \neq x^B(t), \qquad (4)$$

cannot synchronise. Remember that the aim of the two-party system is to learn each other's outputs on commonly given inputs. Given different inputs, the two parties are trying to learn completely different relations (two different nonlinear mappings) between inputs $x^{A/B}(t)$ and outputs $O^{A/B}(t)$. Consequently, when the two parties do not synchronise, there will also be no time-dependent equal weights $w^{A/B}(t)$ and thus no exchange of a key. This again is exactly the service one would want to restrict only to authorised parties by employing an explicit authentication.

We experimentally investigated the development of the normalised sum of absolute differences $d(w^A(t), w^B(t)) \in [0, 1]$ over time for different offsets

$$\forall t:\; x^A(t) = x^B(t + \Delta), \quad \Delta \in \mathbb{N} \qquad (5)$$

in the (pseudo-random) input list and for completely different input lists. The first situation represents an attacker who has a different initialisation of his pseudo-random number generator. The second situation is typical for an attacker with incomplete or even completely differently generated inputs. One can observe in Figure 2 that the distance between two parties that do not possess the same inputs remains fluctuating within a certain limited range around 0.4 and never decreases towards zero. We also investigated different offsets with the same qualitative outcome. Two parties with completely different inputs (although not realistic given a concrete and publicly known LFSR as pseudo-random number generator) show the same qualitative behaviour. Considering the number of repulsive and attractive steps, one can conclude that on average there must be as many repulsive as attractive steps for such a behaviour (cf. [?]). Two parties having the same inputs (offset zero) soon decrease their distance and synchronise.

Figure 2: Distance d vs. the number of exchanged bits (iterations t) for offset zero (successful authentication), offsets one and ten, as well as for completely different inputs.

Another test was performed with identical inputs but by imposing a certain percentage of equally distributed 'noise' on the communicated outputs of one party. It allows one to demonstrate the importance of common inputs for the synchronisation process. If such noise appeared only in a certain period, the system would still synchronise but with a delay of roughly the length of the noisy period plus the time used up for unsuccessful synchronisation before the noisy period; this is thus not the interesting case.

Figure 3: Peaks of the histogram (average over 1000 runs) of the iterations 
necessary for synchronisation for different percentages of noise on the commu- 
nicated output bits of one party. The curves for one and two percent noise were 
omitted, as they almost match with the zero percent curve. 

As can be seen in Figure 3, the distribution of synchronisation times is flattened and biased towards longer times for increasing noise. Surprisingly, the system can still synchronise even with highly noisy communication. Obviously, the (coordinated) inputs basically determine the synchronisation. The average synchronisation time is of course increased, as is the probability of a late synchronisation.

A superficial explanation of the observed behaviour is that the principle is based on mutual learning from common inputs and thus on principle cannot work with differing inputs. More concretely, the random walks with reflecting boundaries performed by the weights in the iterative process now make uncorrelated moves and moves in the wrong direction (cf. [?]). Two corresponding components $w^A_{kj}(t)$ and $w^B_{kj}(t)$ now receive a different random component $x_{kj}(t)$ of their (differing) input vectors (cf. Equation 1). The distance between the components is thus no longer successively reduced to zero after each bounding operation and the two parties diverge.

The non-synchronisation in the case of no common inputs therefore enables us to incorporate authentication by keeping the common (pseudo-random) inputs $x^{A/B}(t)$ secret between the two parties, in addition to their individual secret (random) initial weights $w^{A/B}(t_0)$. There are $2^{KN} - 1$ possible common inputs as second initial secrets, which is a large enough practical amount for the parameters as chosen in [2] to make brute force attacks computationally very expensive. Even more, a Man-In-The-Middle attack and all other currently known attacks [?] [3] using TPMs are averted on principle by such an authentication. It is important to note that such a second secret does not represent any principal disadvantage, because a basic common information is always also necessary in other authentication protocols (cf. [?]).

As opposed to asymmetric approaches in which a third party that can be 
trusted issues a second public key, in this symmetric approach a second secret 
information is necessary for authentication, with the advantage of not requiring 
a central authority. Using an asymmetric public-key authentication like e.g. in 
the Fiat-Shamir authentication scheme, a trusted center selects and publishes 
an RSA-like modulus, which is the second common (but public) information in 
addition to the private key. Therefore security is partly transferred to a third 
trusted party. 

3 Embedding a Zero-Knowledge protocol 

Although we already have authentication given the second secret described above, we make another suggestion explicitly incorporating a Zero-Knowledge (ZK) protocol (see e.g. [7]). It also requires a (second) secret but formally does not require the non-synchronisation in case of differing inputs. Although this may seem redundant at first glance, it allows one to demonstrate how the two (already) interactive protocols can be merged and allows a quicker authentication, at the cost of an authentication that is only statistically secure up to a chosen threshold. ZK mechanisms generally allow one to split a protocol into an iterative process of relatively light transactions, instead of a single (heavy) transmission. Typically such a principle depends on random numbers in some way. The security that can be achieved is probabilistic, i.e. depending on the number of interactions, but security can always be increased beyond some acceptable variable security threshold.

Again we take the inputs of the TPM as a second common secret. The probability of an input vector $x^{A/B}(t)$ having a particular parity $p \in \{0, 1\}$ is 0.5. This parity will now be used directly as an output bit $O^{A/B}(t)$ for an authentication step. The probability of both parties having the same output bit upon a given input at any given time t is

$$P(O^A(t) = p = O^B(t)) = 1/2. \qquad (6)$$
Given a number n ($1 \le n \le a$) of pure authentication steps, in which one transmits the parity of the corresponding input vector as output $O^{A/B}$ directly, the probability that the two parties subsequently produce the same output n times (and thus are likely to have the same n inputs) decreases exponentially with n:

$$P(O^A(n) = O^B(n)) = 1/2^n \quad \forall n. \qquad (7)$$

Consequently, in order to have a statistical security of $\epsilon \in [0, 1[$ one has to pick $n = a$ authentication steps such that

$$1 - 1/2^n > \epsilon, \qquad (8)$$

which can be calculated in advance as

(9)

One achieves a statistical security ε = 0.9999 (i.e. 99.9999 %) with a = 14, for example. The synchronisation time for the ZK variant thus increases by a authentication steps, depending on the required level of security ε.

The question arises when to perform those authentication steps and what happens in the case of a synchronisation earlier than authentication, which is possible due to the distribution of synchronisation times. One obviously has to pick those entries in the input list used for authentication such that the security threshold will be reached soon enough with a certain probability. This can be achieved by selecting a certain bit sub-pattern in the input vector. Inputs are equally distributed by definition and thus the last, say, m bits are also equally distributed. One can thus select those entries that possess a defined bit sub-pattern (e.g. '0101' for m = 4). The probability of such a fixed bit sub-pattern of m bits to occur is $1/2^m$, because each bit has a certain fixed value with a probability of 0.5 and the individual bits occur independently from the LFSR. Thus for four bits, on average every 16th input would be used for authentication. When this sub-pattern occurs, one performs an authentication step by transmitting the parity of the corresponding input vector directly as output $O^{A/B}(n)$. This will (definitely) only happen at the other party (and with the same output!) if it has the same inputs. Having successfully performed a authentication steps, one commences with the synchronisation and key exchange.

Such an authentication does not influence the learning process at all, which transfers all behaviour of the TPM synchronisation to this extended principle. Due to the fact that the inputs are secret, an attacker cannot know when exactly such an authentication step is happening. This would e.g. not be the case if one reserved the first iterations only for authentication: an attacker could just record one session and replay the authentication steps (using the recorded outputs) when performing his attack.

Let us elaborate on three important properties of a ZK protocol (cf. e.g. [7]) and see how they apply in the context of the proposed authentication principles:

1. Completeness - A always succeeds in convincing B if he knows the common secret: If A knows the common secret in the form of having the same inputs, he will always synchronise within a finite time (typically around 400 iterations for the parameters used in [2]). In the case of the second authentication principle, A will reach the security threshold ε in the specified a authentication steps. Thus both protocols are complete.

2. Soundness - A succeeds with (arbitrarily) small probability if he does not know the secret of B: If A does not know the common secret and has different inputs, synchronisation will fail. The two parties will always be driven apart again by the repulsive steps. He will thus succeed with a probability of zero. In the case of the explicit authentication principle, A will not reach the security threshold ε in the specified a authentication steps and will be rejected. Thus both protocols are sound.

3. Zero-Knowledge - No information on the common secret is leaked at all 
while the interactive protocol is performed. This property can be at- 
tributed back to the lack of information in the transmitted output bits 
(or Bit Packages). The only information transmitted is the parities of 
unknown bit-strings. The same holds for the parities of the inputs cho- 
sen (pseudo-randomly) only for authentication in the case of the explicit 
authentication principle. Again only the parities of randomly generated 
input bit vectors are transmitted. An attacker also cannot distinguish an 
authentication step from a synchronisation step from observing the ex- 
changed outputs. He thus does not know, whether the currently observed 
output bit is used for either of the two purposes if he does not know the 
second secret. Both protocols thus possess the Zero-Knowledge property. 
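The following Python program is an added example, not code from the paper: it models the explicit authentication steps of this section. Inputs are drawn from a seeded PRNG standing in for the LFSR (the seed plays the role of the second secret); an input is used for an authentication step when its last m = 4 bits show the sub-pattern '0101'; the prover then transmits the parity of its input, and the verifier compares it with the parity of its own input, rejecting on the first mismatch (soundness) or accepting after a steps (completeness). `steps_for_security` derives a from ε via Equation 8, and `chance_agreement` is the bound of Equation 7. Assumptions: K = 3 and N = 101, and the ordinary TPM output bit sent on non-authentication inputs is modelled by a fair coin, since the section argues that an observer cannot distinguish it from an authentication bit.

```python
import random

K, N, M_PATTERN = 3, 101, [0, 1, 0, 1]   # assumed parameters: K*N input bits, m = 4 bit sub-pattern '0101'


def input_stream(seed):
    # stand-in for the LFSR; the seed plays the role of the second (input) secret
    rng = random.Random(seed)
    while True:
        yield [rng.getrandbits(1) for _ in range(K * N)]


def is_authentication_input(x, pattern=M_PATTERN):
    # an input is used for authentication iff its last m bits show the sub-pattern,
    # which happens with probability 1/2^m, i.e. on average every 16th input for m = 4
    return x[-len(pattern):] == pattern


def parity(x):
    return sum(x) % 2


def chance_agreement(n):
    # Equation (7): two parties with different inputs agree in n authentication
    # steps with probability 1/2^n
    return 1 / 2 ** n


def steps_for_security(epsilon):
    # Equation (8): smallest a with 1 - 1/2^a > epsilon
    a = 1
    while 1 - chance_agreement(a) <= epsilon:
        a += 1
    return a


def authenticate(prover_seed, verifier_seed, a, max_inputs=4000, coin_seed=0):
    """Verifier B checks a prover A that claims to share the input secret.
    Returns (accepted, authentication steps checked, inputs consumed)."""
    gen_a, gen_b = input_stream(prover_seed), input_stream(verifier_seed)
    coin = random.Random(coin_seed)   # models A's ordinary TPM output bit (assumption)
    checks = 0
    for t in range(1, max_inputs + 1):
        x_a, x_b = next(gen_a), next(gen_b)
        # A transmits the parity of its own input instead of the TPM output whenever
        # its input carries the sub-pattern; otherwise an ordinary output bit goes out
        sent = parity(x_a) if is_authentication_input(x_a) else coin.getrandbits(1)
        if is_authentication_input(x_b):
            # B expects an authentication bit now and compares it with its own parity
            checks += 1
            if sent != parity(x_b):
                return False, checks, t        # soundness: one mismatch rejects
            if checks == a:
                return True, checks, t         # completeness: threshold reached
    return False, checks, max_inputs


if __name__ == "__main__":
    a = steps_for_security(0.9999)
    print("authentication steps for epsilon = 0.9999:", a)
    print("shared secret:", authenticate(42, 42, a))
    print("different secret:", authenticate(42, 43, a))
```

With a shared seed the verifier reaches a = 14 agreeing steps after roughly a·2^m ≈ 224 inputs; with a different seed the first mismatch usually arrives within the first few authentication inputs, and passing all 14 by chance has probability 1/2^14.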

Both suggestions for authentication could after all be viewed as ZK protocols, one implicit and one explicit, due to their interactive questioning nature that does not reveal information on the common secret. Furthermore, any previous findings on the physics of the synchronisation of TPMs still apply. Obviously, the bit packaging variant of the protocol together with the ZK extension is a typical parallel interaction protocol (cf. [?]). In such a parallel protocol, a number of problems (b outputs of party A) are posed at a time and a number of solutions (b corresponding outputs of party B) are asked for at a time. This is generally used to reduce the number of interaction messages over a connection with slow response time or a low-bandwidth channel.

The general trade-off in cryptography between available resources and the required level of security also applies when using the TPM principle. In many practical embedded security solutions, e.g., it is often admissible to provide a system that is safe enough for the particular application and the given attack scenarios. The TPM principle extended with the proposed authentication is very attractive for such embedded applications due to its hardware-friendly basic operations [?].
4 Consequences on using the weights' trajectory

As mentioned in the introduction, once synchronous, the two parties remain synchronised, having identical weights in each following iteration. This mode of operation was regarded as potentially insecure by the authors in [?] with respect to the possible attacks with identical TPMs on the ongoing communication. We would like to comment on that with two basic considerations:

1. When the two parties are synchronous they will also have the same outputs in each iteration. Thus, one can as well turn off the communication, because all following outputs will be identical anyway and thus do not need to be communicated any longer. Each party can then simply apply the learning rule (Equation 2) with its own output. Consequently, staying in the trajectory does not automatically represent a security weakness as stated in [?]. Only if a TPM attacker achieved synchronisation before or at the same time as the two parties will he have the keys from the trajectory. But the problem of a possible attack on the ongoing communication can be avoided as described above.

2. The herein proposed authentication refutes the currently known attacks with TPMs on principle. An attacker with a TPM will not be successful in synchronising, not even if the communication goes on after synchronisation. This allows one to securely exploit the full potential of the trajectory.

In particular, after having synchronised once, one can increase the final key length by concatenating subsequently synchronised 'partial keys' from the trajectory at the negligible cost of one or a few further iterations, depending on the partial key length and the desired final key length. Furthermore, one could even encrypt each given data block to be transmitted securely with a separate key, effectively yielding a one-time pad with a maximum length equal to the length of the period (of the trajectory). In this case, even a less sophisticated but low-cost encryption like simple XOR or LFSR becomes applicable.

There are $2^{K \cdot N \cdot L} - 1$ theoretically possible $K \cdot N \cdot L$ bit keys, but the length of the period (of the trajectory) has so far not been calculated. We also performed software simulations and did not find two identical 612 bit keys in a million runs not using the trajectory.
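The following Python program is an added example, not code from the paper or from Kanter and Kinzel, and it serves Sections 1, 2 and 4 at once. It implements the TPM of Section 1 (output as the parity of the signs of the hidden units' local fields, the hebbian rule of Equation 2 with bounded weights, bit packages of size b, and the synchrony test of Equation 3), runs the Section 2 experiment with a shared input list versus a list shifted by an offset Δ (Equation 5) and reports the normalised distance d, and finally continues along the weight trajectory with communication switched off, each party learning from its own output as argued in Section 4. Assumptions: σ(0) = -1, a seeded Python PRNG stands in for the LFSR (its seed is the second secret), the parameters K = 3, N = 101, L = 3, b = 10 and t_min = 200, and bounding of the weights by clipping onto the boundary value.

```python
import random


class TreeParityMachine:
    """K hidden units with N inputs each and integer weights in [-L, L].
    sigma(0) := -1 is an assumed convention; both parties must use the same."""

    def __init__(self, K, N, L, rng):
        self.K, self.N, self.L = K, N, L
        # the individually drawn random initial weights are the first secret
        self.w = [[rng.randint(-L, L) for _ in range(N)] for _ in range(K)]

    def evaluate(self, x):
        # hidden state y_k = sigma(sum_j w_kj x_kj); output O = parity (product) of the y_k
        y = [1 if sum(wj * xj for wj, xj in zip(wk, xk)) > 0 else -1
             for wk, xk in zip(self.w, x)]
        o = 1
        for yk in y:
            o *= yk
        return o, y

    def learn(self, x, y, o_own, o_other):
        # Equation (2): w_kj(t) = w_kj(t-1) + O(t) x_kj(t), applied only on agreement of
        # the outputs and only in hidden units with y_k = O; weights stay in [-L, L]
        # (bounded here by clipping onto the boundary value)
        if o_own != o_other:
            return
        for k in range(self.K):
            if y[k] == o_own:
                self.w[k] = [max(-self.L, min(self.L, wj + o_own * xj))
                             for wj, xj in zip(self.w[k], x[k])]

    def key(self):
        # the weights are never transmitted; their concatenation is the shared key
        return tuple(wj for wk in self.w for wj in wk)


def random_input(K, N, rng):
    # stand-in for the LFSR: K vectors of N values in {-1, +1}
    return [[1 if rng.random() < 0.5 else -1 for _ in range(N)] for _ in range(K)]


def distance(a, b):
    # normalised sum of absolute weight differences d(w^A, w^B) in [0, 1]
    total = sum(abs(p - q) for wa, wb in zip(a.w, b.w) for p, q in zip(wa, wb))
    return total / (2 * a.L * a.K * a.N)


def run_protocol(K=3, N=101, L=3, b=10, t_min=200, offset=0, max_iter=20000, seed=1):
    """Bit-package synchronisation of two TPMs. The input list is the second
    secret: offset=0 means both parties share it, offset=Delta gives party B
    the list shifted by Delta inputs (Equation 5), i.e. an unauthenticated party."""
    rng = random.Random(seed)
    a, bm = TreeParityMachine(K, N, L, rng), TreeParityMachine(K, N, L, rng)
    gen_a, gen_b = random.Random(1000 + seed), random.Random(1000 + seed)
    for _ in range(offset):
        random_input(K, N, gen_b)
    equal_run = t = 0
    while t < max_iter:
        xa = [random_input(K, N, gen_a) for _ in range(b)]
        xb = [random_input(K, N, gen_b) for _ in range(b)]
        # all b outputs of a package are computed on the weights at package start;
        # only the outputs are exchanged, the hidden states stay local
        pa, pb = [a.evaluate(x) for x in xa], [bm.evaluate(x) for x in xb]
        for x1, (o1, y1), x2, (o2, y2) in zip(xa, pa, xb, pb):
            t += 1
            equal_run = equal_run + 1 if o1 == o2 else 0
            a.learn(x1, y1, o1, o2)
            bm.learn(x2, y2, o2, o1)
            if equal_run >= t_min:    # Equation (3): t_min successive equal outputs
                return {"synced": True, "iterations": t, "distance": distance(a, bm),
                        "same_key": a.key() == bm.key(), "parties": (a, bm)}
    return {"synced": False, "iterations": t, "distance": distance(a, bm),
            "same_key": a.key() == bm.key(), "parties": (a, bm)}


def trajectory_keys(a, bm, n_keys, seed=7):
    """Section 4: once synchronous, communication is switched off and each party
    applies the learning rule with its own output; the weight trajectory yields
    further identical keys without any further exchange (the shared input list
    is assumed to continue, modelled by fresh generators with a common seed)."""
    gen_a, gen_b = random.Random(seed), random.Random(seed)
    keys_a, keys_b = [], []
    for _ in range(n_keys):
        xa, xb = random_input(a.K, a.N, gen_a), random_input(bm.K, bm.N, gen_b)
        oa, ya = a.evaluate(xa)
        ob, yb = bm.evaluate(xb)
        a.learn(xa, ya, oa, oa)
        bm.learn(xb, yb, ob, ob)
        keys_a.append(a.key())
        keys_b.append(bm.key())
    return keys_a, keys_b


if __name__ == "__main__":
    shared = run_protocol()
    print("shared inputs: synced after", shared["iterations"], "iterations, d =", shared["distance"])
    shifted = run_protocol(offset=1, max_iter=1500)
    print("offset 1: synced =", shifted["synced"], ", d =", round(shifted["distance"], 3))
    ka, kb = trajectory_keys(*shared["parties"], n_keys=3)
    print("trajectory keys identical:", ka == kb)
```

The shared-input run ends with d = 0 and identical weights on both sides, while the offset run never triggers the synchrony test and leaves d fluctuating well above zero, which is the behaviour the authentication of Section 2 relies on; the trajectory keys show that no further exchange is needed once synchrony has been reached.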

5 Conclusion 

Two ways of establishing authentication from within the concept of Neural Cryptography were presented. Next to the key establishment itself, such an authentication is of primary interest in cryptography and its applications. Using the common inputs as a second secret for authentication, we investigated the distance of the two parties' weight vectors for different offsets in their inputs and for completely different inputs. No synchronisation appears, as expected. Another explicit authentication principle (based on the same underlying secret), naturally integrating a Zero-Knowledge protocol into the already interactive key exchange concept, was discussed and concrete suggestions for its application were derived from probabilistic considerations. It turns out that authentication is inherently provided by the underlying synchronisation principle of Neural Cryptography.

Above all, using authentication of this kind averts all currently known attacks and a previously possible Man-In-The-Middle attack, which assume full knowledge of the inputs to the TPMs. Any (non brute force) attack now needs to extract information from the communicated outputs. Furthermore, a (differential) power analysis on a concrete software or hardware implementation could be tried, which is yet an attack on a rather technical level. The outlined consequences of being able to securely stay in the trajectory in weight space are of significant practical importance.

It is thus our hope that the discussion of this extraordinary key exchange principle and related concepts (see e.g. [?]) will continue, within the physics community and also the cryptography community.